What the Deuce? Strategies for Splitting Your Alerts and Grasping Intent

Intent. It is a word not often used when describing cyber intrusions, yet it is the primary cause of business loss. Organizations and their customers, clients, beneficiaries, and others are not harmed by the simple “fact of” an intrusion into a computer network.

When real intent to steal information or impact operations exists, the human on the other end of the wire must and will act beyond the initial exploitation. They will return to the network originally breached and hit a major inflection point in network exploitation: targeted lateral movement.

Lateral movement is a topic heavily discussed by many vendors and security practitioners, but its importance is largely overlooked.

If an intruder is finding ways to move laterally in the environment, it means they are there for a reason. It means they have intent. The success of these actions will cause you business loss. You should, therefore, prioritize all of your security efforts to investigate every lead or alert you have for lateral movement. If discovered, it should become your main priority in security operations.

Today’s intruders heavily rely on “living off the land” – that is, using native operating system tools to pivot around the network, working their way towards what they are after. This includes the use of WMI, PowerShell, SSH, RDP and other built-in tools.

The use of these tools allows for targeted lateral movement, where intruders can pivot exactly where they want to be with little resistance, since their stolen admin access usually gives them all the visibility they need.

From a malicious actor’s viewpoint, lateral movement requires access to your hosts and to network communications in order to maneuver. This is where you should collect. Better telemetry on operating system process activity and network flows needs to be made available to network defenders.

If the proper endpoint and network telemetry is collected, defenders can begin to proactively hunt for targeted lateral movement via native OS tools, and can more quickly reconstruct the narrative of where an intruder went during the incident response process.

This telemetry provides the data needed to determine whether potential threats are moving laterally. If detected early, defenders can cut intruders off before they are able to make their intent a reality.
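One way to turn that endpoint telemetry into a lateral-movement lead, as an added example that is not code from the article or from Efflux Systems: correlate a remote logon on a host with a process spawned shortly afterwards, by the same account, under a parent that hosts remotely launched commands (WMI, PowerShell Remoting, or a service-based tool). The event field names, the sample records and the time window are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Parent processes that host commands launched from another machine via native tooling:
# WMI (wmiprvse.exe), PowerShell Remoting over WinRM (wsmprovhost.exe), and
# service-based remote execution such as PsExec (services.exe).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "services.exe"}
# Windows logon types that mean the session arrived over the network: 3 = network, 10 = RDP.
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample telemetry (not from the article): simplified 4624-style logon records
# and Sysmon-style process-creation records, already merged and ordered by time.
EVENTS = [
    {"ts": "2019-05-01T10:00:00", "host": "WS01", "kind": "logon", "logon_type": 10,
     "user": "CORP\\jdoe-adm", "src_ip": "10.0.0.5"},
    {"ts": "2019-05-01T10:00:12", "host": "WS01", "kind": "proc", "user": "CORP\\jdoe-adm",
     "parent": "wmiprvse.exe", "image": "powershell.exe"},
    {"ts": "2019-05-01T10:05:00", "host": "WS02", "kind": "logon", "logon_type": 2,
     "user": "CORP\\asmith", "src_ip": "-"},          # console logon: not remote
    {"ts": "2019-05-01T10:05:30", "host": "WS02", "kind": "proc", "user": "CORP\\asmith",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2019-05-01T11:00:00", "host": "WS03", "kind": "logon", "logon_type": 3,
     "user": "CORP\\svc-backup", "src_ip": "10.0.0.9"},
    {"ts": "2019-05-01T11:30:00", "host": "WS03", "kind": "proc", "user": "CORP\\svc-backup",
     "parent": "services.exe", "image": "cmd.exe"},   # 30 min later: outside default window
]


def find_lateral_movement(events, window_seconds=300):
    """Correlate a remote logon with a later remote-execution child process on the same
    host by the same account inside the window. Returns one alert per match."""
    recent_logons = {}  # (host, user) -> (logon timestamp, source IP)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        if ev["kind"] == "logon":
            if ev["logon_type"] in REMOTE_LOGON_TYPES:
                recent_logons[key] = (ts, ev["src_ip"])
        elif ev["kind"] == "proc" and ev["parent"].lower() in REMOTE_EXEC_PARENTS:
            if key in recent_logons:
                logon_ts, src_ip = recent_logons[key]
                if ts - logon_ts <= timedelta(seconds=window_seconds):
                    # Lateral movement leads outrank everything else in the queue.
                    alerts.append({"host": ev["host"], "user": ev["user"], "src_ip": src_ip,
                                   "parent": ev["parent"], "image": ev["image"],
                                   "priority": "P1"})
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(EVENTS):
        print(alert)
```

With the sample data only WS01 fires; widening the window to an hour also surfaces the WS03 chain, which shows why the window is a tuning decision rather than a fixed rule.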

About the Author: John T. Myers is a co-founder and CTO of Efflux Systems, a Maryland-based security startup. Prior to Efflux, John’s career focused on cyber and intelligence operations for the U.S. Air Force. As Director of Operations, he guided cyber operations training programs and directed large-scale Red Flag cyber ops planning and exercises.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.